This is the fifth of seven Security Policies within the HMG Security Policy Framework (SPF), outlining the mandatory security requirements and management arrangements to which all Departments and Agencies (defined as including all bodies directly responsible to them) must adhere. This policy deals with:
Physical security involves the appropriate layout and design of facilities, combined with suitable security measures, to prevent unauthorised access to, and to protect, HMG assets – people, information, materials and infrastructure. This means putting in place, or building into design, measures that prevent, deter, delay and detect attempted or actual unauthorised access and acts of damage and / or violence, and that trigger an appropriate response. For example, effective perimeter fencing and heightened access control measures may deter an attack because of the difficulties of gaining access; CCTV, intruder alarms and Radio Countermeasures might detect an attack in progress and trigger interception; whilst vehicle stand-off, blast proof glazing and postal screening can minimise the consequences of an attack. For detailed guidance on counter-terrorist policy, please refer to Security Policy No. 6 - Counter-Terrorism.
Physical security involves a number of distinct security measures which form part of a ‘layered’ or ‘defence in depth’ approach to security, which must take account of the balance between prevention, protection and response. Physical security measures, or products such as locks and doors, are categorised according to the level of protection offered.
The ‘layered’ approach to physical security starts with the protection of the asset at source (e.g. creation, access and storage), then proceeds progressively outwards to include the building, estate and perimeter of the establishment. Approach routes, parking areas, adjacent buildings and utilities/services beyond the perimeter should also be considered. To ensure appropriate physical security controls, departments must consider the following factors:
MANDATORY REQUIREMENT 50
Departments and Agencies must adopt a ‘layered’ approach to physical security, ensuring that their physical security policy incorporates identifiable elements of prevention, detection and response.
Critical, sensitive or protectively marked assets should be located in secure areas, protected by a defined security perimeter, with appropriate security barriers and entry controls.
MANDATORY REQUIREMENT 51
Departments and Agencies must use the Physical Security Assessment Questionnaire and the Physical Security Baseline Controls Matrix to identify appropriate physical security measures.
MANDATORY REQUIREMENT 52
Departments and Agencies must ensure that protectively marked or valuable material is secured in appropriate security containers. Large amounts of protectively marked material or equipment, which cannot be stored in a security container, must be stored in a secure room.
Where there is a need to store large amounts of inherently valuable removable items, a Strong Room should be used.
MANDATORY REQUIREMENT 53
Departments and Agencies must ensure that windows, doors, locks and entry controls meet appropriate security standards in rooms holding protectively marked material or sensitive assets.
A clear desk policy is recommended in all office areas (particularly in open plan or shared office areas). This is primarily to ensure that sensitive material is not left unattended. Where it is not possible to implement a full clear desk policy, a risk-based approach should be adopted and the decision recorded in the appropriate Risk Register. The same principle should apply to computer screens and other office areas used to display potentially sensitive information, such as walls, pinboards etc. Computer screens should not be sited where they could be illicitly viewed (e.g. overlooked by windows or reflective surfaces).
MANDATORY REQUIREMENT 54
In office areas (particularly open plan and shared areas), Departments and Agencies must put in place procedures to avoid access to protectively marked material by individuals who do not have a ‘need to know’.
For the purpose of assessing security risks to a building, buildings are rated according to their level of resistance to forced or surreptitious attack and blast protection. In any building in which protectively marked or other valuable assets are stored, there should be as few points of exit and entry as the functions of the site and safety will allow. Where these exist, physical security controls, such as window bars, grilles, shutters, security doors etc, should be installed. The effectiveness of such controls may be enhanced by the use of intruder detection systems or guard services.
When choosing from the many physical security measures available, Departments should ensure that security controls are able to mitigate violent acts and deter, detect or delay intrusion – those who are not deterred should be forced to use tools and methods that facilitate detection and delay.
MANDATORY REQUIREMENT 55
Departments and Agencies must assess the security risks to their estate ensuring that security is fully integrated early in the process of planning, selecting, designing and modifying their facilities.
Access control refers to the practice of controlling and monitoring access to a property or asset. Physical access control can be achieved through a combination of manned guarding, and mechanical or technical means. When deciding which access control measures to deploy, Departments must ensure that they consider the security measures in an integrated manner, such as combining automated access control systems with photo passes and CCTV.
Frontline staff such as security guards and receptionists play a vital role in controlling access, but to be fully effective, they may need to be supported by:
Frontline staff are likely to be exposed to a higher level of risk than others. This should be considered in the risk assessment and additional protections should be put in place as required.
MANDATORY REQUIREMENT 56
Departments and Agencies must control access to their estate using safeguards that will prevent unauthorised access.
MANDATORY REQUIREMENT 57
Departments and Agencies must have plans and procedures for dealing with and intercepting unauthorised visitors or intruders. Such plans must include the ability to systematically search the establishment if necessary.
MANDATORY REQUIREMENT 58
Departments and Agencies must ensure that access control policies are made available to all staff, and that staff are briefed on their personal responsibilities (e.g. wearing a pass at all times, escorting visitors and searching their work area if required).
Delivered items can include letters, packets and parcels and may contain:
Anyone receiving a suspicious delivery is unlikely to know exactly which type it is, so procedures should cater for every eventuality.
MANDATORY REQUIREMENT 59
Departments and Agencies must have appropriate procedures in place for screening incoming mail/deliveries for suspicious items.
Manned guarding is a key element of integrated physical security. Guards provide deterrence against hostile activity and facilitate a rapid response to security incidents.
Guards may either be directly employed by a government department or agency, or be employed by a commercial guard force. Guard duties and the need for, and frequency of, patrols should be decided by considering the level of threat and any other security systems or equipment that might already be in place.
MANDATORY REQUIREMENT 60
Departments and Agencies must consider the use of guard forces to protect the assets they hold. Where guards are deployed the GSZ Manned Guarding Services Manual is considered best practice.
A perimeter may be defined by a natural boundary, vehicle barriers such as bollards, by free-standing fences or walls, or by the outer walls of a building or divisions inside it. The security function of a perimeter is to provide a degree of physical, psychological and / or legal deterrence to intrusion, as well as providing a defined scope of physical responsibility.
MANDATORY REQUIREMENT 61
Departments and Agencies must establish a secure perimeter, with appropriate security barriers and entry controls. Perimeters should offer physical protection from unauthorised access, damage and interference and allow for the quick identification of suspicious individuals or unusual items.
A perimeter's effectiveness as a security measure can be enhanced by the deployment of Perimeter Intruder Detection Systems (PIDS), Closed Circuit Television (CCTV), security lighting and / or guard forces. Perimeters can also be strengthened, particularly against vehicle borne threat, by installing more robust fencing or other barrier systems. In deciding which perimeter security measures to deploy, Departments and Agencies must ensure that they consider the security measures in an integrated manner. Security lighting is a relatively effective and low cost deterrent but the use of more expensive systems, such as PIDS and CCTV, should be considered when a higher level of protection and detection is required.
MANDATORY REQUIREMENT 62
Departments and Agencies must produce a detailed Operational Requirement before deciding to deploy a security measure, particularly when purchasing a system or security product. This should clearly define what the system is expected to achieve.
MANDATORY REQUIREMENT 63
The deployment of CCTV must be in accordance with the Data Protection Act 1998.
Departments and Agencies should be particularly aware of the Data Protection Act Principles and the Information Commissioner's Code of Practice on CCTV, which is published under the Act.